
Vulnerability Disclosure Policy

Introduction

Cyber R&D Lab’s mission is to fortify the security of the software, products and services that everyone depends on. We’re security researchers who release our discoveries in order to move the information security industry forward.

This Vulnerability Disclosure Policy defines how ethical disclosure works when we discover vulnerabilities in a third-party vendor's product. It also provides instructions on how to report a vulnerability you discover in our website or other public resources.

Our responsible engagement with vendors

Throughout the vulnerability disclosure process, we perform the following key roles:

  • Discover vulnerabilities in vendors' software, products and services.
  • Inform the vendor of the vulnerability in their product.
  • Maintain confidentiality while the vendor works to remediate the vulnerability.
  • Partner closely with the vendor to explain the severity and impact of the vulnerability. If needed, we provide best practices for its resolution.

We believe that prompt and ethical disclosure of a vulnerability results in a more secure environment for everyone. We make initial contact through channels including, but not limited to, the vendor's:

  • Computer Security Incident Response Team (CSIRT) contact or other security-related contact.
  • General contact information provided in their Vulnerability Disclosure Policy.
  • Public social channels (e.g., LinkedIn or Twitter).

After initial contact, our goal is to maintain a collaborative partnership with the vendor. We will:

  • Provide the vendor with any additional vulnerability details necessary as they work through their remediation process.
  • Maintain confidentiality around the vendor’s vulnerability and how it affects their product.
  • Adhere to an industry-standard 90-day public disclosure period that starts at our initial attempt to communicate our findings to the vendor. Nearly all vendors can remediate a vulnerability in 90 days or less. Under special circumstances, this period might be extended. We publicly disclose the vulnerability after its remediation. When a vendor releases a fix before the ninetieth (90th) day, we may publicly disclose our findings immediately after that fix's release.

In rare situations, a vendor may remain unresponsive despite several contact attempts from us. In these cases, we can choose to take no further action on the vulnerability or to disclose it within the information security community. Our last resort is to publicly disclose the vendor's vulnerability on our website. Public disclosure is often undesirable because criminals may exploit the vulnerability. We will use our best discretion to disclose only the minimum detail necessary, leaving out the key details an attacker would need to initiate an attack.

We believe this Vulnerability Disclosure Policy effectively balances our goals of maintaining vendor confidentiality and moving security research forward. The policy remains in alignment with our greater mission of enhancing industry security. 

Contacting Cyber R&D Lab

If you have questions about this policy, technical or security-related issues with the website, or any other questions, please use our Contact Form.

If you report a vulnerability to us, we will promptly investigate the issue and fix it as quickly as possible. We request that you maintain confidentiality about the issue you found throughout our remediation process.